Password Reset Email Link Opens Wrong Page

Problem:

After receiving the password reset email and clicking the "Click Here" hyperlink, user is returned to the "Expired or Forgotten Password" page instead of arriving at the page to enter the new password.

 

The link in the email contains a one-time token meaning that if anyone goes to that specific URL the link will no longer work and the user is redirected to the password reset request page instead. On investigating this issue, we have found that McAfee Antivirus contains a default setting called ClickProtect which validates the URL but at the same time expends the one-time token. Other antivirus software may have a similar feature.

Solving the Problem with VON's Assistance: 

The simplest solution is to request a manual password reset from the Vermont Oxford Network.  A temporary password will be issued manually by our staff.  This password should be used to login and update your password as soon as it is received and will expire in 24 hours.

A More Permanent Solution?

Per McAfee's own discussion thread on the subject there is no global allow-list to add our domain and the Sender Allow list does not affect ClickProtect. The only solution they offer is to disable ClickProtect. Our understanding is that McAfee intends to address this issue in a future release, but that update will be on that vendor's timeline.

Other Possible Causes:

A similar problem has been observed by users of Internet Explorer 9.  The recommended solution is to use an  up-to-date version of an alternate browser such as Chrome or Firefox.  Support for Internet Explorer 9 has been deprecated by Microsoft and only applies to a few older operating systems such as Windows Vista or Windows Server 2008.  

 

Have more questions? Submit a request

Comments

  • Avatar
    Ted Kreider

    From McAfee's discussion thread:

    "The options for resolution are whitelisting the URL on the ClickProtect Allow List, or, disabling ClickProtect for specific users or the domain, the latter only being the recommended option if it's determined that the service is not compatable with a particular organization."

  • Avatar
    Ted Kreider

    Vermont Oxford Network is working on a possible solution to this issue as a revision to our own "forgot password" recovery process. If you or other staff at your center are having difficulty with this issue, please contact support@vtoxford.org. We may not have another option available yet but we do want to keep track of the burden this issue represents for our membership. Thank you.

  • Avatar
    Ted Kreider

    Additional information on safelisting sites for ClickProtect is here: https://support.mcafeesaas.com/MCAFEE/_cs/AnswerDetail.aspx?sSessionID=&aid=65895

  • Avatar
    Ted Kreider

    General Article on ClickProtect work-arounds from Mcafee:
    https://support.mcafeesaas.com/MCAFEE/_cs/AnswerDetail.aspx?sSessionID=&aid=207044